CVE-2023-39417
📋 TL;DR
This SQL injection vulnerability in PostgreSQL allows attackers with database-level CREATE privilege to execute arbitrary code as the bootstrap superuser when exploiting improperly quoted extension script variables. It affects PostgreSQL installations with vulnerable non-bundled extensions installed by administrators. The vulnerability requires both a vulnerable extension and attacker database privileges.
💻 Affected Systems
- PostgreSQL
📦 What is this software?
Postgresql by Postgresql
⚠️ Risk & Real-World Impact
Worst Case
Full database compromise leading to arbitrary code execution as bootstrap superuser, potentially allowing complete system takeover and data exfiltration.
Likely Case
Privilege escalation from database-level CREATE privilege to superuser access, enabling data manipulation, additional extension installation, or lateral movement.
If Mitigated
Limited impact if proper privilege separation exists, extensions are from trusted sources only, and CREATE privileges are restricted.
🎯 Exploit Status
Exploitation requires specific conditions: a vulnerable extension must be installed, the attacker needs CREATE privilege on the database, and the attacker must inject SQL through the extension's substitution variables.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Check Red Hat advisories for specific patched versions (RHSA-2023:7545, RHSA-2023:7579, etc.)
Vendor Advisory: https://access.redhat.com/errata/RHSA-2023:7545
Restart Required: Yes
Instructions:
1. Check the PostgreSQL version.
2. Apply the appropriate Red Hat security update for your PostgreSQL version.
3. Restart the PostgreSQL service.
4. Verify that the patch is installed.
🔧 Temporary Workarounds
Restrict CREATE Privilege
Limit database-level CREATE privilege to trusted users only to reduce the attack surface.
REVOKE CREATE ON DATABASE database_name FROM username;
Audit and Remove Vulnerable Extensions
Identify and remove non-bundled extensions whose scripts use vulnerable variable quoting patterns.
SELECT * FROM pg_extension WHERE extname NOT IN ('plpgsql', '...bundled_extensions...');
DROP EXTENSION vulnerable_extension;
🧯 If You Can't Patch
- Implement strict privilege management: Only grant CREATE privilege to absolutely necessary users.
- Audit all installed extensions: Remove any non-essential extensions, especially from untrusted sources.
🔍 How to Verify
Check if Vulnerable:
Check the PostgreSQL version and the installed extensions. Vulnerable if all of the following hold:
1. The version is unpatched,
2. Non-bundled extensions exist,
3. Extension scripts use @extowner@, @extschema@, or @extschema:...@ inside quoting constructs.
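A pre-check for the third condition, added here as an example (it is not part of this advisory or of PostgreSQL itself): it walks an extension script, tracks single-quoted, double-quoted and dollar-quoted constructs, and reports every substitution token found inside one. The sample script is constructed; in practice run the function over the *.sql files under `$(pg_config --sharedir)/extension`.

```python
import re
# Substitution tokens CREATE EXTENSION expands, and $$ / $tag$ dollar-quote openers.
TOKEN_RE = re.compile(r"@(?:extowner|extschema|extschema:[A-Za-z0-9_]+)@")
DOLLAR_RE = re.compile(r"\$([A-Za-z_][A-Za-z0-9_]*)?\$")

def find_unsafe_substitutions(script: str) -> list:
    """Return (line, token, construct) for each token inside a quoting construct.
    Tokens in bare SQL or in comments are not reported (E'' escapes not handled)."""
    findings, i, n, line = [], 0, len(script), 1
    while i < n:
        ch = script[i]
        if ch == "\n":
            line += 1; i += 1
        elif script.startswith("--", i):                   # line comment
            k = script.find("\n", i); i = n if k < 0 else k
        elif script.startswith("/*", i):                   # block comment (nestable)
            depth, i = 1, i + 2
            while i < n and depth:
                if script.startswith("/*", i): depth += 1; i += 2
                elif script.startswith("*/", i): depth -= 1; i += 2
                else: line += script[i] == "\n"; i += 1
        elif ch in "'\"" or (ch == "$" and (m := DOLLAR_RE.match(script, i))):
            if ch == "$":
                closer, kind = m.group(0), "dollar-quoted string"
            else:
                closer = ch
                kind = "single-quoted string" if ch == "'" else "double-quoted identifier"
            start = j = i + len(closer)
            while True:                                    # locate the real closer
                k = script.find(closer, j)
                if k < 0: k = n; break
                if ch != "$" and script.startswith(closer * 2, k):  # '' or "" escape
                    j = k + 2; continue
                break
            body = script[start:k]
            for hit in TOKEN_RE.finditer(body):
                findings.append((line + body.count("\n", 0, hit.start()), hit.group(0), kind))
            line += body.count("\n"); i = min(n, k + len(closer))
        else:
            i += 1
    return findings

# Constructed sample script (not a real extension): lines 3 and 5 are unsafe.
SAMPLE_SCRIPT = """\
CREATE FUNCTION @extschema@.f() RETURNS int AS $$ SELECT 1 $$ LANGUAGE sql;
ALTER FUNCTION @extschema@.f() OWNER TO @extowner@;  -- bare tokens: fine
COMMENT ON FUNCTION @extschema@.f() IS 'owned by @extowner@';
CREATE FUNCTION @extschema@.g() RETURNS text AS $body$
  SELECT '@extschema@'::text
$body$ LANGUAGE sql;
"""
```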
Check Version:
SELECT version();
Verify Fix Applied:
Verify that the PostgreSQL version matches the patched version from the Red Hat advisories and that the service has been restarted.
📡 Detection & Monitoring
Log Indicators:
- Unusual CREATE EXTENSION attempts
- SQL errors in extension scripts
- Unexpected privilege escalation attempts
Network Indicators:
- Unusual database connection patterns from users with CREATE privilege
SIEM Query:
source="postgresql.log" AND ("CREATE EXTENSION" OR "@extowner@" OR "@extschema@")
🔗 References
- https://access.redhat.com/errata/RHSA-2023:7545
- https://access.redhat.com/errata/RHSA-2023:7579
- https://access.redhat.com/errata/RHSA-2023:7580
- https://access.redhat.com/errata/RHSA-2023:7581
- https://access.redhat.com/errata/RHSA-2023:7616
- https://access.redhat.com/errata/RHSA-2023:7656
- https://access.redhat.com/errata/RHSA-2023:7666
- https://access.redhat.com/errata/RHSA-2023:7667
- https://access.redhat.com/errata/RHSA-2023:7694
- https://access.redhat.com/errata/RHSA-2023:7695
- https://access.redhat.com/errata/RHSA-2023:7714
- https://access.redhat.com/errata/RHSA-2023:7770
- https://access.redhat.com/errata/RHSA-2023:7772
- https://access.redhat.com/errata/RHSA-2023:7784
- https://access.redhat.com/errata/RHSA-2023:7785
- https://access.redhat.com/errata/RHSA-2023:7883
- https://access.redhat.com/errata/RHSA-2023:7884
- https://access.redhat.com/errata/RHSA-2023:7885
- https://access.redhat.com/errata/RHSA-2024:0304
- https://access.redhat.com/errata/RHSA-2024:0332
- https://access.redhat.com/errata/RHSA-2024:0337
- https://access.redhat.com/security/cve/CVE-2023-39417
- https://bugzilla.redhat.com/show_bug.cgi?id=2228111
- https://www.postgresql.org/support/security/CVE-2023-39417
- https://lists.debian.org/debian-lts-announce/2023/10/msg00003.html
- https://security.netapp.com/advisory/ntap-20230915-0002/
- https://www.debian.org/security/2023/dsa-5553
- https://www.debian.org/security/2023/dsa-5554